On Sep 19, 2014 5:25 AM, "Chard" <[email protected]> wrote: > > Hi, > > I'm looking into Centralized agent configuration with OSSEC. > > I understand that you create the file var/ossec/etc/shared/agent.conf. > > But does this need to include all the default config of ossec as well as any additional option I may add? eg include this. > > <!-- OSSEC Win32 Agent Configuration. > - This file is compost of 3 main sections: > - - Client config - Settings to connect to the OSSEC server. > - - Localfile - Files/Event logs to monitor. > - - syscheck - System file/Registry entries to monitor. > --> > <!-- READ ME FIRST. If you are configuring OSSEC for the first time, > - try to use the "Manage_Agent" tool. Go to control panel->OSSEC Agent > - to execute it. > - > - First, add a server-ip entry with the real IP of your server. > - Second, and optionally, change the settings of the files you want > - to monitor. Look at our Manual and FAQ for more information. > - Third, start the Agent and enjoy. > - > - Example of server-ip: > - <client> <server-ip>1.2.3.4</server-ip> </client> > --> > > <ossec_config> > <!-- One entry for each file/Event log to monitor. --> > <localfile> > <location>Application</location> > <log_format>eventlog</log_format> > </localfile> > <localfile> > <location>Security</location> > <log_format>eventlog</log_format> > </localfile> > <localfile> > <location>System</location> > <log_format>eventlog</log_format> > </localfile> > > <!-- Rootcheck - Policy monitor config --> > <rootcheck> > <windows_audit>./shared/win_audit_rcl.txt</windows_audit> > <windows_apps>./shared/win_applications_rcl.txt</windows_apps> > <windows_malware>./shared/win_malware_rcl.txt</windows_malware> > </rootcheck> > > <!-- Syscheck - Integrity Checking config. --> > <syscheck> > > <!-- Default frequency, every 20 hours. It doesn't need to be higher > - on most systems and one a day should be enough. > --> > <frequency>72000</frequency> > <!-- By default it is disabled. In the Install you must choose > - to enable it. > --> > <disabled>no</disabled> > > <!-- Default files to be monitored - system32 only. --> > <directories check_all="yes">%WINDIR%/win.ini</directories> > <directories check_all="yes">%WINDIR%/system.ini</directories> > <directories check_all="yes">C:\autoexec.bat</directories> > <directories check_all="yes">C:\config.sys</directories> > <directories check_all="yes">C:\boot.ini</directories> > <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories> > <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories> > <directories check_all="yes">%WINDIR%/System32/at.exe</directories> > <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories> > <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories> > <directories check_all="yes">%WINDIR%/System32/debug.exe</directories> > <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories> > <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories> > <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories> > <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories> > <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories> > <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories> > <directories check_all="yes">%WINDIR%/System32/net.exe</directories> > <directories check_all="yes">%WINDIR%/System32/net1.exe</directories> > <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories> > <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories> > <directories check_all="yes">%WINDIR%/System32/reg.exe</directories> > <directories check_all="yes">%WINDIR%/regedit.exe</directories> > <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories> > <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories> > <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories> > <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories> > <directories check_all="yes">%WINDIR%/System32/runas.exe</directories> > <directories check_all="yes">%WINDIR%/System32/sc.exe</directories> > <directories check_all="yes">%WINDIR%/System32/subst.exe</directories> > <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories> > <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories> > <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories> > <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories> > <directories check_all="yes" realtime="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories> > <directories check_all="yes" realtime="yes">C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup</directories> > <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore> > > <!-- Windows registry entries to monitor. --> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry> > > <!-- Windows registry entries to ignore. --> > <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore> > <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore> > <registry_ignore type="sregex">\Enum$</registry_ignore> > </syscheck> > <active-response> > <disabled>no</disabled> > </active-response> > </ossec_config> > > OR > > Can I just add in the granular configuration for each agent like this and not bother with the default configuration? > > <agent_config name="agent1"> > <localfile> > <location>/var/log/my.log</location> > <log_format>syslog</log_format> > </localfile> > </agent_config> > > <agent_config name="agent2"> > <localfile> > <location>/var/log/my.log</location> > <log_format>syslog</log_format> > </localfile> > </agent_config> > >
Ossec combines the agent.conf and ossec.conf, so you should only need to include additions. > > -- > > --- > You received this message because you are subscribed to the Google Groups "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
